diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index 4ca258f..92df08d 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -208,7 +208,7 @@ enableaudit: $(BASE_CONF)
#
$(APPDIR)/customizable_types: $(BASE_CONF)
@mkdir -p $(APPDIR)
- $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
+ $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
$(verbose) install -m 644 $(TMPDIR)/customizable_types $@
########################################
diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic
index c6df7b6..89b2d1d 100644
--- a/refpolicy/Rules.monolithic
+++ b/refpolicy/Rules.monolithic
@@ -230,7 +230,7 @@ $(BUILDDIR)longcheck.res: $(POLICY_CONF) $(FC)
#
$(APPDIR)/customizable_types: $(POLICY_CONF)
@mkdir -p $(APPDIR)
- $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
+ $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
$(verbose) install -m 644 $(TMPDIR)/customizable_types $@
########################################
diff --git a/refpolicy/policy/modules/services/cups.fc b/refpolicy/policy/modules/services/cups.fc
index 4fcfb99..c744fe9 100644
--- a/refpolicy/policy/modules/services/cups.fc
+++ b/refpolicy/policy/modules/services/cups.fc
@@ -35,7 +35,8 @@
/usr/share/hplip/hpssd.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/foomatic(/.*)? -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index cc87327..eb8bdee 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -126,6 +126,7 @@ miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
sysnet_read_config(ftpd_t)
+sysnet_use_ldap(ftpd_t)
userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index bb7a992..a81220b 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -315,6 +315,7 @@ files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
+kernel_dontaudit_read_system_state(postfix_map_t)
corenet_tcp_sendrecv_all_if(postfix_map_t)
corenet_udp_sendrecv_all_if(postfix_map_t)
@@ -358,8 +359,7 @@ seutil_read_config(postfix_map_t)
sysnet_read_config(postfix_map_t)
ifdef(`targeted_policy',`
- # FIXME: would be better to use a run interface
- role system_r types postfix_map_t;
+ term_dontaudit_use_generic_ptys(postfix_map_t)
')
tunable_policy(`read_default_t',`
diff --git a/refpolicy/policy/modules/services/postgresql.if b/refpolicy/policy/modules/services/postgresql.if
index e030d16..818ba7c 100644
--- a/refpolicy/policy/modules/services/postgresql.if
+++ b/refpolicy/policy/modules/services/postgresql.if
@@ -113,10 +113,12 @@ interface(`postgresql_tcp_connect',`
#
interface(`postgresql_stream_connect',`
gen_require(`
- type postgresql_t, postgresql_var_run_t;
+ type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
')
files_search_pids($1)
allow $1 postgresql_t:unix_stream_socket connectto;
allow $1 postgresql_var_run_t:sock_file write;
+ # Some versions of postgresql put the sock file in /tmp
+ allow $1 postgresql_tmp_t:sock_file write;
')
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index 0be0cd7..efff376 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -50,6 +50,7 @@ corenet_tcp_sendrecv_all_ports(privoxy_t)
corenet_non_ipsec_sendrecv(privoxy_t)
corenet_tcp_bind_http_cache_port(privoxy_t)
corenet_tcp_connect_http_port(privoxy_t)
+corenet_tcp_connect_http_cache_port(privoxy_t)
corenet_tcp_connect_ftp_port(privoxy_t)
corenet_tcp_connect_tor_port(privoxy_t)
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 306e2ae..0339015 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -160,6 +160,7 @@ optional_policy(`
corenet_non_ipsec_sendrecv(samba_net_t)
corenet_tcp_bind_all_nodes(samba_net_t)
sysnet_read_config(samba_net_t)
+ corenet_tcp_connect_ldap_port(samba_net_t)
')
optional_policy(`
@@ -269,6 +270,7 @@ files_list_mnt(smbd_t)
init_use_fds(smbd_t)
init_use_script_ptys(smbd_t)
+init_rw_utmp(smbd_t)
libs_use_ld_so(smbd_t)
libs_use_shared_libs(smbd_t)
diff --git a/refpolicy/policy/modules/services/spamassassin.fc b/refpolicy/policy/modules/services/spamassassin.fc
index 37093c0..260950c 100644
--- a/refpolicy/policy/modules/services/spamassassin.fc
+++ b/refpolicy/policy/modules/services/spamassassin.fc
@@ -1,5 +1,5 @@
-/usr/bin/sa-learn -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index ecbf208..9a72969 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -173,9 +173,13 @@ dev_getattr_video_dev(pam_console_t)
dev_setattr_video_dev(pam_console_t)
dev_getattr_xserver_misc_dev(pam_console_t)
dev_setattr_xserver_misc_dev(pam_console_t)
+dev_read_urand(pam_console_t)
fs_search_auto_mountpoints(pam_console_t)
+mls_file_read_up(pam_console_t)
+mls_file_write_down(pam_console_t)
+
storage_getattr_fixed_disk_dev(pam_console_t)
storage_setattr_fixed_disk_dev(pam_console_t)
storage_getattr_removable_dev(pam_console_t)
@@ -206,8 +210,8 @@ libs_use_shared_libs(pam_console_t)
logging_send_syslog_msg(pam_console_t)
-mls_file_read_up(pam_console_t)
-mls_file_write_down(pam_console_t)
+miscfiles_read_localization(pam_console_t)
+miscfiles_read_certs(pam_console_t)
seutil_read_file_contexts(pam_console_t)
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index 02370c7..b65ef96 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -83,12 +83,14 @@ ifdef(`distro_redhat',`
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/vmware(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?lib(64)?/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+/usr/NX/lib/libXcomp.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/NX/lib/libjpeg.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -189,6 +191,8 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre
# vmware
/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/lib(/.*)?/HConfig.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index ce71126..99cc380 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -113,3 +113,29 @@ interface(`mount_send_nfs_client_request',`
allow $1 mount_t:udp_socket rw_socket_perms;
')
+########################################
+##
+## Execute mount in the unconfined mount domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mount_domtrans_unconfined',`
+ ifdef(`targeted_policy',`
+ gen_require(`
+ type unconfined_mount_t, mount_exec_t;
+ ')
+
+ domain_auto_trans($1,mount_exec_t,unconfined_mount_t)
+
+ allow $1 unconfined_mount_t:fd use;
+ allow unconfined_mount_t $1:fd use;
+ allow unconfined_mount_t $1:fifo_file rw_file_perms;
+ allow unconfined_mount_t $1:process sigchld;
+ ',`
+ errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+ ')
+')
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index ba89ae1..acf6d73 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -14,6 +14,12 @@ role system_r types mount_t;
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
+ifdef(`targeted_policy',`
+ type unconfined_mount_t;
+ domain_type(unconfined_mount_t)
+ domain_entry_file(unconfined_mount_t,mount_exec_t)
+')
+
########################################
#
# mount local policy
@@ -151,3 +157,13 @@ optional_policy(`
optional_policy(`
samba_domtrans_smbmount(mount_t)
')
+
+########################################
+#
+# Unconfined mount local policy
+#
+
+ifdef(`targeted_policy',`
+ files_manage_etc_runtime_files(unconfined_mount_t)
+ unconfined_domain(unconfined_mount_t)
+')
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 17e2fdb..a28a26c 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -36,7 +36,10 @@ ifdef(`targeted_policy',`
logging_domtrans_auditctl(unconfined_t)
+ mount_domtrans_unconfined(unconfined_t)
+
seutil_domtrans_restorecon(unconfined_t)
+ seutil_domtrans_semanage(unconfined_t)
userdom_unconfined(unconfined_t)
userdom_priveleged_home_dir_manager(unconfined_t)
@@ -140,10 +143,6 @@ ifdef(`targeted_policy',`
')
optional_policy(`
- seutil_domtrans_semanage(unconfined_t)
- ')
-
- optional_policy(`
sysnet_domtrans_dhcpc(unconfined_t)
')